Email Authentication — SPF, DKIM, and DMARC

[Diagram: SPF (sender policy), DKIM (signed keys) and DMARC (policy and reporting) all pass, so the message is delivered as an authenticated sender and not spoofed.]

Understand how SPF, DKIM, and DMARC work together to stop email spoofing and protect your domain’s reputation.


SPF, DKIM, and DMARC are three email authentication standards that publish their policies and keys in DNS. Together they let a receiving server check that a message really comes from your domain, so spoofed mail and phishing that trades on your name can be rejected instead of delivered.

How Email Spoofing Works (Without Authentication)

[Diagram: without SPF/DKIM/DMARC an attacker can send email appearing to be from yourcompany.com.au. The attacker's mail server (evil.ru) sends a message with From: ceo@yourco.com; the recipient's mail server has no way to verify it; the victim's inbox shows From: ceo@yourco.com, the victim trusts it and gets scammed.]

The Three Standards Explained

  • SPF (Sender Policy Framework): a DNS TXT record listing the mail servers authorised to send for your domain. It is checked against the envelope sender (MAIL FROM), not the From: line the recipient sees. Answers: “Is this server allowed to send for my domain?”
  • DKIM (DomainKeys Identified Mail): a cryptographic signature added to outbound email and verified against a public key published in DNS. Answers: “Was this message signed by the claimed domain, and has it been altered in transit?”
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): a DNS policy that ties SPF and DKIM to the visible From: domain and tells receivers what to do when neither check passes with alignment: none → monitor only, quarantine → deliver to junk, reject → block entirely. It also asks receivers to send you reports on who is sending as your domain.
✓ Key Point
SPF + DKIM + DMARC p=reject is the gold standard. SPF and DKIM alone are not enough: on their own they only produce a pass or fail result, and DMARC is what ties that result to the visible From: address (alignment) and tells receiving servers what to do when neither check passes. Without DMARC, a message that fails SPF may still be delivered. Start with p=none (monitoring only), analyse the reports, then move to p=quarantine, then p=reject.

DMARC Deployment Stages

Stage            DMARC Policy    Effect
1 — Monitor      p=none          No blocking; you just receive reports on who is sending as your domain
2 — Quarantine   p=quarantine    Failed emails go to spam/junk
3 — Enforce      p=reject        Failed emails are rejected outright by receivers that honour DMARC; mail using your exact domain can no longer be spoofed (lookalike domains and display-name tricks are outside DMARC's scope)
⛔ Important
Many organisations set up SPF and DKIM but leave DMARC at p=none permanently. This provides visibility but no protection: a spoofed email claiming to be from your domain still reaches the recipient. Complete the deployment by moving to p=quarantine and then p=reject once the DMARC aggregate reports show that every legitimate sending source, including third-party services that send on your behalf, passes SPF or DKIM with alignment.
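The alignment rule in the Key Point and the policy stages in the table above, worked through in code. This is an added example, not code from the original page or from Mobile Techs IT Service: it parses a DMARC TXT record and evaluates a message against it the way a receiving server does. The domains, the record and the message scenarios are constructed for the example, and the organisational-domain lookup is a two-label assumption where real verifiers consult the Public Suffix List.

```python
"""Added example, not code from the original page: parse a DMARC TXT record and
evaluate a message against it, including the identifier alignment that makes
DMARC different from a bare SPF or DKIM check.

Assumptions (not from the page): the domains and record are constructed, and
org_domain() uses a two-label heuristic instead of the Public Suffix List.
"""
from dataclasses import dataclass
from typing import Tuple

# Constructed record, as it would be published at _dmarc.yourco.example
RECORD_DOMAIN = "yourco.example"
RECORD_TXT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@yourco.example"


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and a p= tag")
    if tags["sp"] is None:
        tags["sp"] = tags["p"]  # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: last two labels; real verifiers use the
    Public Suffix List so that names like example.com.au are handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match with the From:
    domain, relaxed ('r') only needs the same organisational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthInputs:
    from_domain: str   # domain of the visible From: header, the identity DMARC protects
    spf_result: str    # SPF result for the envelope sender (MAIL FROM): pass/fail/none
    spf_domain: str    # the MAIL FROM domain SPF was evaluated against
    dkim_result: str   # DKIM signature verification result: pass/fail/none
    dkim_domain: str   # d= tag of the DKIM signature (empty if unsigned)


def evaluate_dmarc(record: dict, record_domain: str, msg: AuthInputs) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    DMARC passes when EITHER SPF or DKIM passes AND that identifier aligns with
    the From: domain. An SPF pass on the attacker's own domain counts for nothing.
    """
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.from_domain, record["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p= applies to the domain itself, sp= to its subdomains (this assumes the
    # receiver already fell back from _dmarc.<subdomain> to this record).
    policy = record["p"] if msg.from_domain.lower() == record_domain.lower() else record["sp"]
    return "fail", policy  # 'none' = deliver, 'quarantine' = junk, 'reject' = bounce


# Constructed scenarios (not real traffic)
LEGIT = AuthInputs("yourco.example", "pass", "bounce.yourco.example", "pass", "yourco.example")
SPOOF = AuthInputs("yourco.example", "pass", "attacker.example", "none", "")        # attacker's own SPF passes
UNSIGNED_ESP = AuthInputs("yourco.example", "pass", "mailer.esp.example", "none", "")  # newsletter service, no DKIM
SIGNED_ESP = AuthInputs("yourco.example", "pass", "mailer.esp.example", "pass", "yourco.example")
SUBDOMAIN = AuthInputs("news.yourco.example", "pass", "mailer.esp.example", "none", "")


def run_scenarios() -> dict:
    """Evaluate every constructed scenario against the record."""
    record = parse_dmarc_record(RECORD_TXT)
    cases = [("LEGIT", LEGIT), ("SPOOF", SPOOF), ("UNSIGNED_ESP", UNSIGNED_ESP),
             ("SIGNED_ESP", SIGNED_ESP), ("SUBDOMAIN", SUBDOMAIN)]
    return {name: evaluate_dmarc(record, RECORD_DOMAIN, m) for name, m in cases}


if __name__ == "__main__":
    for name, (result, disposition) in run_scenarios().items():
        print(f"{name:13s} dmarc={result:4s} disposition={disposition}")
```

The UNSIGNED_ESP and SIGNED_ESP cases are the ones that bite during a staged rollout: a third-party service whose own SPF passes still fails DMARC for your domain until it signs with DKIM using your domain (or relays with an aligned MAIL FROM), which is exactly what the aggregate reports at p=none reveal before you move to p=reject.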

Checking Your Domain’s Email Authentication

You can verify your domain’s SPF, DKIM, and DMARC records using free tools like:
  • MXToolbox (mxtoolbox.com) — check all three records
  • DMARC Analyser — review DMARC aggregate reports
  • Google Admin Toolbox — check deliverability
When checking a received email, look at the email headers for Authentication-Results:, which your receiving mail server adds to record whether SPF, DKIM, and DMARC passed or failed. Read only the header stamped with your own server's identifier (the authserv-id at the start of the value): a sender can include an Authentication-Results header of their own, so a receiving server should strip any inbound copies that claim its identity before adding its own.
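Reading those headers programmatically, as an added example that is not code from the original page or from Mobile Techs IT Service. It parses Authentication-Results values (RFC 8601) and returns only the verdict recorded by the topmost header carrying your own server's authserv-id. The raw message and the authserv-id mx.yourco.example are constructed for the example; substitute the identifier your own receiving server stamps.

```python
"""Added example, not from the original page: pull the SPF, DKIM and DMARC
verdicts out of a message's Authentication-Results headers (RFC 8601).

Assumption (not from the page): the message below and the authserv-id
'mx.yourco.example' are constructed; use the identifier your own receiving
server writes into the header.
"""
import email
import re
from typing import Optional

# Constructed raw message. The first Authentication-Results header was added by
# our own server when it received the message; the second arrived WITH the
# message and claims everything passed. Headers are prepended as a message is
# relayed, so the topmost one carrying our authserv-id is the one we added.
RAW_MESSAGE = """\
Authentication-Results: mx.yourco.example;
\tspf=fail (sender IP 203.0.113.5 is not authorised) smtp.mailfrom=attacker.example;
\tdkim=none (message not signed);
\tdmarc=fail (p=REJECT sp=REJECT dis=reject) header.from=yourco.example
Authentication-Results: mx.yourco.example; spf=pass smtp.mailfrom=yourco.example; dkim=pass header.d=yourco.example; dmarc=pass header.from=yourco.example
From: "CEO" <ceo@yourco.example>
To: finance@yourco.example
Subject: Urgent payment

Please pay the attached invoice today.
"""


def parse_authentication_results(value: str) -> dict:
    """Parse one header value into {'authserv_id': str, 'results': {method: {...}}}."""
    value = re.sub(r"\([^)]*\)", "", value)      # drop (comments) such as the sender IP
    value = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Authentication-Results value")
    authserv_id = parts[0].split()[0]            # an optional version number may follow
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:                   # property=value pairs, e.g. header.from=...
            key, _, val = tok.partition("=")
            if val:
                entry[key.lower()] = val
        results[method.lower()] = entry
    return {"authserv_id": authserv_id, "results": results}


def trusted_results(raw_message: str, my_authserv_id: str) -> Optional[dict]:
    """Results from the topmost Authentication-Results header carrying our own
    authserv-id, or None if our server never stamped one. Lower headers may have
    been injected by the sender, which is why a border MTA should strip inbound
    headers claiming its authserv-id before adding its own."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        parsed = parse_authentication_results(value)
        if parsed["authserv_id"].lower() == my_authserv_id.lower():
            return parsed["results"]
    return None


def summarise(results: dict) -> str:
    """One-line verdict in the same shape the page's diagram uses."""
    return ", ".join(f"{m.upper()}: {results.get(m, {}).get('result', 'none')}"
                     for m in ("spf", "dkim", "dmarc"))


if __name__ == "__main__":
    verdict = trusted_results(RAW_MESSAGE, "mx.yourco.example")
    print(summarise(verdict) if verdict else "no trusted Authentication-Results header")
```

On the constructed message the trusted header reports SPF fail for attacker.example, no DKIM signature and a DMARC fail against yourco.example, while the injected header underneath it, which claims a clean pass, is never consulted.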
Could a scammer send email as your domain right now?
If your DMARC policy is missing or stuck on p=none, anyone can spoof your domain to scam your customers and suppliers — and your legitimate email may be landing in junk folders too. Mobile Techs IT Service helps Gold Coast businesses get email authentication right: SPF, DKIM, and DMARC configured correctly for every sending service, DMARC reports monitored, and a safe staged move to p=reject that protects your brand without breaking your mail flow. Home users welcome too — on-site or remote, anywhere in Australia.